Re: Defeating CAPTCHAs via Averaging

[noreply9871234 () ich-habe-fertig com]

On Thursday 01 February 2007 01:52, Andreas Beck wrote:
> No, but it can be easily defeated by changing the placement/appearance
> of the number(s) as well as that of the noise or by keeping both
> constant over reloads.
>
> What is exploited here, is the fact that noise and payload behave
> differently on reload. This allows to separate them.
Exactly, this is the point. 

> Please note, that averaging is a very simple technique to do that.
> Depending on the type of captcha, one can use methods that converge
> much more quickly. Simplest one would be to use the simple majority
> of pixel values or the median value, if slight global noise (e.g. from
> compression artefacts) is expected.
>
> This should yield almost perfect results with as low as 3 different
> images. Adding a tiny bit of spatial filtering might help as well.
My point of the initial article was NOT to demonstrate a new or especially 
clever way to defeat a captcha. This would not really be something for 
bugtraq as most of the captchas can be defeated by sophisticated 
cutting-edge computer recognision software (see http://www.captcha.net/). 

The main idea is to show how a design flaw (repeatedly presenting the 
same information with different obfuscation) can be used to compromise 
a captcha without the need for an especially clever algorithm. 
So, it's not about how to defeat the captcha by recognizing the text but 
how to defeat it by exploiting a design flaw. 

And the good thing is: This design flaw can easily be avoided. 
However, one has to be aware of it. 

Regards,
Wolfgang Wieser

Contact: wwieser (at) gmx -dot- de
PLEASE do not CC me when posting to the list; I am subscribed.